[thirdparty/openssl.git] / NOTES-NONSTOP.md

NOTES FOR THE HPE NONSTOP PLATFORM
==============================

Requirement details
-------------------

In addition to the requirements and instructions listed
in [INSTALL.md](INSTALL.md), the following are required as well:

 * The TNS/X platform supports hardware randomization.
   Specify the `--with-rand-seed=rdcpu` option to the `./Configure` script.
   This is recommended but not required. `egd` is supported at 3.0 but cannot
   be used if FIPS is selected.
 * The TNS/E platform does not support hardware randomization, so
   specify the `--with-rand-seed=egd` option to the `./Configure` script.

About c99 compiler
------------------

The c99 compiler is required for building OpenSSL from source. While c11
may work, it has not been broadly tested. c99 is the only compiler
prerequisite needed to build OpenSSL 3.0 on this platform. You should also
have the FLOSS package installed on your system. The ITUGLIB FLOSS package
is the only FLOSS variant that has been broadly tested.

Threading Models
----------------

OpenSSL can be built either using the POSIX User Threads (PUT) threading model,
or with threading support disabled. Select the following build configuration
for each on the TNS/X (L-Series) platform:

 * `nonstop-nsx` or default will select an unthreaded 32-bit build.
 * `nonstop-nsx_64` selects an unthreaded 64-bit memory and file length build.
 * `nonstop-nsx_put` selects the PUT build.
 * `nonstop-nsx_64_put` selects the 64-bit memory and file length PUT build.

The SPT threading model is no longer supported as of OpenSSL 3.2.

### TNS/E Considerations

The TNS/E platform is build using the same set of builds specifying `nse`
instead of `nsx` in the set above.

You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
option to `./Configure`.

Linking and Loading Considerations
----------------------------------

Because of how the NonStop Common Runtime Environment (CRE) works, there are
restrictions on how programs can link and load with OpenSSL libraries.
On current NonStop platforms, programs cannot both statically link OpenSSL
libraries and dynamically load OpenSSL shared libraries concurrently. If this
is done, there is a high probability of encountering a SIGSEGV condition
relating to `atexit()` processing when a shared library is unloaded and when
the program terminates. This limitation applies to all OpenSSL shared library
components.

A control has been added as of 3.3.x to disable calls to `atexit()` within the
`libcrypto` builds (specifically in `crypto/init.c`). This switch can be
controlled using `disable-atexit` or `enable-atexit`, and is disabled by default
for NonStop builds. If you need to have `atexit()` functionality, set
`enabled-atexit` when configuring OpenSSL to enable the `atexit()` call to
register `OPENSSL_cleanup()` automatically. Preferably, you can explicitly call
`OPENSSL_cleanup()` from your application.

About Prefix and OpenSSLDir
---------------------------

Because there are many potential builds that must co-exist on any given
NonStop node, managing the location of your build distribution is crucial.
Keep each destination separate and distinct. Mixing any mode described in
this document can cause application instability. The recommended approach
is to specify the OpenSSL version and threading model in your configuration
options, and keeping your memory and float options consistent, for example:

 * For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl`
 * For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl`

As of 3.0, the NonStop configurations use the multilib attribute to distinguish
between different models:

 * For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl`

The PUT model is placed in `${prefix}/lib-put` for 32-bit models and
`${prefix}/lib64-put` for 64-bit models.

Use the `_RLD_LIB_PATH` environment variable in OSS to select the appropriate
directory containing `libcrypto.so` and `libssl.so`. In GUARDIAN, use the
`=_RLD_LIB_PATH` search define to locate the GUARDIAN subvolume where OpenSSL
is installed.

Float Considerations
--------------------

OpenSSL is built using IEEE Float mode by default. If you need a different
IEEE mode, create a new configuration specifying `tfloat-x86-64` (for Tandem
Float) or `nfloat-x86-64` (for Neutral Float).

Memory Models
-------------

The current OpenSSL default memory model uses the default platform address
model. If you need a different address model, you must specify the appropriate
c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`).

Cross Compiling on Windows
--------------------------

To configure and compile OpenSSL, you will need to set up a Cygwin environment.
The Cygwin tools should include bash, make, and any other normal tools required
for building programs.

Your `PATH` must include the bin directory for the c99 cross-compiler, as in:

    export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH

This should be set before Configure is run. For the c99 cross-compiler to work
correctly, you also need the `COMP_ROOT` set, as in:

    export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05"

`COMP_ROOT` needs to be in Windows form.

`Configure` must specify the `no-makedepend` option otherwise errors will
result when running the build because the c99 cross-compiler does not support
the `gcc -MT` option. An example of a `Configure` command to be run from the
OpenSSL directory is:

    ./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu

Do not forget to include any OpenSSL cross-compiling prefix and certificate
options when creating your libraries.

The OpenSSL test suite will not run on your workstation. In order to verify the
build, you will need to perform the build and test steps in OSS in your NonStop
server. You can also build under gcc and run the test suite for Windows but that
is not equivalent.

**Note:** In the event that you are attempting a FIPS-compliant cross-compile,
be aware that signatures may not match between builds done under OSS and under
cross-compiles as the compilers do not necessarily generate identical objects.
Anything and everything to do with FIPS is outside the scope of this document.
Refer to the FIPS security policy for more information.

The following build configurations have been successfully attempted at one
point or another. If you are successful in your cross-compile efforts, please
update this list:

- nonstop-nsx_64
- nonstop-nsx_64_put

**Note:** Cross-compile builds for TNS/E have not been attempted, but should
follow the same considerations as for TNS/X above.

Also see the NSDEE discussion below for more historical information.

Cross Compiling with NSDEE
--------------------------

**Note:** None of these builds have been tested by the platform maintainer and
are supplied for historical value. Please submit a Pull Request to OpenSSL
should these need to be adjusted.

If you are attempting to build OpenSSL with NSDEE, you will need to specify
the following variables. The following set of compiler defines are required:

    # COMP_ROOT must be a full path for the build system (e.g. windows)
    COMP_ROOT=$(cygpath -w /path/to/comp_root)
    # CC must be executable by your shell
    CC=/path/to/c99

### Optional Build Variables

    DBGFLAG="--debug"
    CIPHENABLES="enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-rc4"

### Internal Known TNS/X to TNS/E Cross Compile Variables

The following definition is required if you are building on TNS/X for TNS/E
and have access to a TNS/E machine on your EXPAND network - with an example
node named `\CS3`:

    SYSTEMLIBS="-L/E/cs3/usr/local/lib"

Version Procedure (VPROC) Considerations
----------------------------------------

If you require a VPROC entry for platform version identification, use the
following variables:

### For Itanium

    OPENSSL_VPROC_PREFIX=T0085H06

### For x86

    OPENSSL_VPROC_PREFIX=T0085L01

### Common Definition

    export OPENSSL_VPROC=${OPENSSL_VPROC_PREFIX}_$(
        . VERSION.dat
        if [ -n "$PRE_RELEASE_TAG" ]; then
            PRE_RELEASE_TAG="-$PRE_RELEASE_TAG"
        fi
        if [ -n "$BUILD_METADATA" ]; then
            BUILD_METADATA="+$BUILD_METADATA"
        fi
        echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" |\
            sed -e 's/[-.+]/_/g'
        )

Example Configure Targets
-------------------------

For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`.
For GUARDIAN targets, DLL names will be `ssl` and `crypto`. The following
assumes that your PWD is set according to your installation standards.

    ./Configure nonstop-nsx           --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_g         --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_put       --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_64        --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_64_put    --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nsx_g_tandem  --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}

    ./Configure nonstop-nse           --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_g         --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_put       --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_64        --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_64_put    --prefix=${PWD} \
        --openssldir=${PWD}/ssl threads "-D_REENTRANT"
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
    ./Configure nonstop-nse_g_tandem  --prefix=${PWD} \
        --openssldir=${PWD}/ssl no-threads \
        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
Commit	Line	Data
648cf924 RB	1	NOTES FOR THE HPE NONSTOP PLATFORM
	2	==============================
	3
	4	Requirement details
	5	-------------------
	6
	7	In addition to the requirements and instructions listed
	8	in [INSTALL.md](INSTALL.md), the following are required as well:
	9
	10	* The TNS/X platform supports hardware randomization.
	11	Specify the `--with-rand-seed=rdcpu` option to the `./Configure` script.
	12	This is recommended but not required. `egd` is supported at 3.0 but cannot
	13	be used if FIPS is selected.
	14	* The TNS/E platform does not support hardware randomization, so
	15	specify the `--with-rand-seed=egd` option to the `./Configure` script.
	16
	17	About c99 compiler
	18	------------------
	19
	20	The c99 compiler is required for building OpenSSL from source. While c11
	21	may work, it has not been broadly tested. c99 is the only compiler
	22	prerequisite needed to build OpenSSL 3.0 on this platform. You should also
	23	have the FLOSS package installed on your system. The ITUGLIB FLOSS package
	24	is the only FLOSS variant that has been broadly tested.
	25
	26	Threading Models
	27	----------------
	28
5cd17920 RB	29	OpenSSL can be built either using the POSIX User Threads (PUT) threading model,
	30	or with threading support disabled. Select the following build configuration
	31	for each on the TNS/X (L-Series) platform:
648cf924	32
5cd17920 RB	33	* `nonstop-nsx` or default will select an unthreaded 32-bit build.
5cd17920 RB	34	* `nonstop-nsx_64` selects an unthreaded 64-bit memory and file length build.
648cf924	35	* `nonstop-nsx_put` selects the PUT build.
5cd17920 RB	36	* `nonstop-nsx_64_put` selects the 64-bit memory and file length PUT build.
	37
	38	The SPT threading model is no longer supported as of OpenSSL 3.2.
648cf924 RB	39
	40	### TNS/E Considerations
	41
	42	The TNS/E platform is build using the same set of builds specifying `nse`
	43	instead of `nsx` in the set above.
	44
	45	You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
d318fc95	46	option to `./Configure`.
648cf924	47
7b262527 RB	48	Linking and Loading Considerations
	49	----------------------------------
	50
	51	Because of how the NonStop Common Runtime Environment (CRE) works, there are
	52	restrictions on how programs can link and load with OpenSSL libraries.
	53	On current NonStop platforms, programs cannot both statically link OpenSSL
	54	libraries and dynamically load OpenSSL shared libraries concurrently. If this
	55	is done, there is a high probability of encountering a SIGSEGV condition
	56	relating to `atexit()` processing when a shared library is unloaded and when
	57	the program terminates. This limitation applies to all OpenSSL shared library
	58	components.
	59
99fb31c1 RB	60	A control has been added as of 3.3.x to disable calls to `atexit()` within the
	61	`libcrypto` builds (specifically in `crypto/init.c`). This switch can be
	62	controlled using `disable-atexit` or `enable-atexit`, and is disabled by default
	63	for NonStop builds. If you need to have `atexit()` functionality, set
	64	`enabled-atexit` when configuring OpenSSL to enable the `atexit()` call to
	65	register `OPENSSL_cleanup()` automatically. Preferably, you can explicitly call
	66	`OPENSSL_cleanup()` from your application.
7b262527	67
648cf924 RB	68	About Prefix and OpenSSLDir
	69	---------------------------
	70
	71	Because there are many potential builds that must co-exist on any given
	72	NonStop node, managing the location of your build distribution is crucial.
	73	Keep each destination separate and distinct. Mixing any mode described in
	74	this document can cause application instability. The recommended approach
	75	is to specify the OpenSSL version and threading model in your configuration
	76	options, and keeping your memory and float options consistent, for example:
	77
	78	* For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl`
	79	* For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl`
1501de33 RL	80
	81	As of 3.0, the NonStop configurations use the multilib attribute to distinguish
	82	between different models:
	83
648cf924	84	* For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl`
1501de33 RL	85
	86	The PUT model is placed in `${prefix}/lib-put` for 32-bit models and
	87	`${prefix}/lib64-put` for 64-bit models.
648cf924 RB	88
	89	Use the `_RLD_LIB_PATH` environment variable in OSS to select the appropriate
	90	directory containing `libcrypto.so` and `libssl.so`. In GUARDIAN, use the
	91	`=_RLD_LIB_PATH` search define to locate the GUARDIAN subvolume where OpenSSL
	92	is installed.
	93
	94	Float Considerations
	95	--------------------
	96
	97	OpenSSL is built using IEEE Float mode by default. If you need a different
	98	IEEE mode, create a new configuration specifying `tfloat-x86-64` (for Tandem
	99	Float) or `nfloat-x86-64` (for Neutral Float).
	100
	101	Memory Models
	102	-------------
	103
	104	The current OpenSSL default memory model uses the default platform address
	105	model. If you need a different address model, you must specify the appropriate
	106	c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`).
	107
d720e603 RB	108	Cross Compiling on Windows
	109	--------------------------
	110
	111	To configure and compile OpenSSL, you will need to set up a Cygwin environment.
	112	The Cygwin tools should include bash, make, and any other normal tools required
	113	for building programs.
	114
	115	Your `PATH` must include the bin directory for the c99 cross-compiler, as in:
	116
	117	export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH
	118
	119	This should be set before Configure is run. For the c99 cross-compiler to work
	120	correctly, you also need the `COMP_ROOT` set, as in:
	121
	122	export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05"
	123
	124	`COMP_ROOT` needs to be in Windows form.
	125
	126	`Configure` must specify the `no-makedepend` option otherwise errors will
	127	result when running the build because the c99 cross-compiler does not support
	128	the `gcc -MT` option. An example of a `Configure` command to be run from the
	129	OpenSSL directory is:
	130
	131	./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu
	132
	133	Do not forget to include any OpenSSL cross-compiling prefix and certificate
	134	options when creating your libraries.
	135
	136	The OpenSSL test suite will not run on your workstation. In order to verify the
	137	build, you will need to perform the build and test steps in OSS in your NonStop
	138	server. You can also build under gcc and run the test suite for Windows but that
	139	is not equivalent.
	140
	141	Note: In the event that you are attempting a FIPS-compliant cross-compile,
	142	be aware that signatures may not match between builds done under OSS and under
	143	cross-compiles as the compilers do not necessarily generate identical objects.
	144	Anything and everything to do with FIPS is outside the scope of this document.
	145	Refer to the FIPS security policy for more information.
	146
	147	The following build configurations have been successfully attempted at one
	148	point or another. If you are successful in your cross-compile efforts, please
	149	update this list:
	150
	151	- nonstop-nsx_64
	152	- nonstop-nsx_64_put
	153
	154	Note: Cross-compile builds for TNS/E have not been attempted, but should
5cd17920	155	follow the same considerations as for TNS/X above.
d720e603 RB	156
	157	Also see the NSDEE discussion below for more historical information.
	158
648cf924 RB	159	Cross Compiling with NSDEE
	160	--------------------------
	161
d720e603 RB	162	Note: None of these builds have been tested by the platform maintainer and
	163	are supplied for historical value. Please submit a Pull Request to OpenSSL
	164	should these need to be adjusted.
648cf924 RB	165
	166	If you are attempting to build OpenSSL with NSDEE, you will need to specify
	167	the following variables. The following set of compiler defines are required:
	168
	169	# COMP_ROOT must be a full path for the build system (e.g. windows)
	170	COMP_ROOT=$(cygpath -w /path/to/comp_root)
	171	# CC must be executable by your shell
	172	CC=/path/to/c99
	173
	174	### Optional Build Variables
	175
	176	DBGFLAG="--debug"
	177	CIPHENABLES="enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-rc4"
	178
	179	### Internal Known TNS/X to TNS/E Cross Compile Variables
	180
	181	The following definition is required if you are building on TNS/X for TNS/E
	182	and have access to a TNS/E machine on your EXPAND network - with an example
	183	node named `\CS3`:
	184
	185	SYSTEMLIBS="-L/E/cs3/usr/local/lib"
	186
	187	Version Procedure (VPROC) Considerations
	188	----------------------------------------
	189
	190	If you require a VPROC entry for platform version identification, use the
	191	following variables:
	192
	193	### For Itanium
	194
	195	OPENSSL_VPROC_PREFIX=T0085H06
	196
	197	### For x86
	198
	199	OPENSSL_VPROC_PREFIX=T0085L01
	200
	201	### Common Definition
	202
	203	export OPENSSL_VPROC=${OPENSSL_VPROC_PREFIX}_$(
	204	. VERSION.dat
	205	if [ -n "$PRE_RELEASE_TAG" ]; then
	206	PRE_RELEASE_TAG="-$PRE_RELEASE_TAG"
	207	fi
83a5bd80 RL	208	if [ -n "$BUILD_METADATA" ]; then
	209	BUILD_METADATA="+$BUILD_METADATA"
	210	fi
648cf924 RB	211	echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" \|\
	212	sed -e 's/[-.+]/_/g'
	213	)
	214
	215	Example Configure Targets
	216	-------------------------
	217
	218	For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`.
	219	For GUARDIAN targets, DLL names will be `ssl` and `crypto`. The following
	220	assumes that your PWD is set according to your installation standards.
	221
	222	./Configure nonstop-nsx --prefix=${PWD} \
	223	--openssldir=${PWD}/ssl no-threads \
	224	--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
	225	./Configure nonstop-nsx_g --prefix=${PWD} \
	226	--openssldir=${PWD}/ssl no-threads \
	227	--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
	228	./Configure nonstop-nsx_put --prefix=${PWD} \
	229	--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
	230	--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
648cf924 RB	231	./Configure nonstop-nsx_64 --prefix=${PWD} \
	232	--openssldir=${PWD}/ssl no-threads \
	233	--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
	234	./Configure nonstop-nsx_64_put --prefix=${PWD} \
	235	--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
	236	--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
	237	./Configure nonstop-nsx_g_tandem --prefix=${PWD} \
	238	--openssldir=${PWD}/ssl no-threads \
	239	--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
	240
	241	./Configure nonstop-nse --prefix=${PWD} \
	242	--openssldir=${PWD}/ssl no-threads \
	243	--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
	244	./Configure nonstop-nse_g --prefix=${PWD} \
	245	--openssldir=${PWD}/ssl no-threads \
	246	--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
	247	./Configure nonstop-nse_put --prefix=${PWD} \
	248	--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
	249	--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
648cf924 RB	250	./Configure nonstop-nse_64 --prefix=${PWD} \
	251	--openssldir=${PWD}/ssl no-threads \
	252	--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
	253	./Configure nonstop-nse_64_put --prefix=${PWD} \
	254	--openssldir=${PWD}/ssl threads "-D_REENTRANT"
	255	--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
	256	./Configure nonstop-nse_g_tandem --prefix=${PWD} \
	257	--openssldir=${PWD}/ssl no-threads \
	258	--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}